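/// <summary>
/// Resets the policy for the specified <see cref="AttestationType"/> to the default value.
/// </summary>
/// <param name="attestationType"><see cref="AttestationType"/> whose policy should be reset.</param>
/// <param name="signingKey">If provided, specifies the signing key used to sign the request to the attestation service.</param>
/// <param name="cancellationToken">Cancellation token used to cancel this operation.</param>
/// <returns>An <see cref="AttestationResponse{PolicyModificationResult}"/> describing the outcome of the reset for the specified attestation type.</returns>
/// <exception cref="AttestationTokenValidationFailedException">Raised through <see cref="AttestationTokenValidationFailedException.ThrowFailure"/> when token validation is enabled and the token returned by the service does not validate against the service's signers.</exception>
/// <remarks>
/// If the <paramref name="signingKey"/> parameter is not provided, then the policy document sent to the
/// attestation service will be unsigned. Unsigned attestation policies are only allowed when the attestation instance is running in AAD mode - if the
/// attestation instance is running in Isolated mode, then a signing key and signing certificate MUST be provided to ensure that the caller of the API is authorized to change policy.
/// The <see cref="AttestationTokenSigningKey.Certificate"/> parameter MUST be one of the certificates returned by the <see cref="GetPolicyManagementCertificates(CancellationToken)"/> API.
/// </remarks>
public virtual async Task<AttestationResponse<PolicyModificationResult>> ResetPolicyAsync(
    AttestationType attestationType,
    AttestationTokenSigningKey signingKey = default,
    CancellationToken cancellationToken = default)
{
    using DiagnosticScope scope = _clientDiagnostics.CreateScope($"{nameof(AttestationAdministrationClient)}.{nameof(ResetPolicy)}");
    scope.Start();
    try
    {
        // A reset carries no policy document, so the token body is null; signingKey (when supplied)
        // signs the request so the service can check that the caller is authorized (see remarks).
        AttestationToken tokenToSet = new AttestationToken(null, signingKey);
        var result = await _policyClient.ResetAsync(attestationType, tokenToSet.Serialize(), cancellationToken).ConfigureAwait(false);
        var token = AttestationToken.Deserialize(result.Value.Token, _clientDiagnostics);

        if (_options.TokenOptions.ValidateToken)
        {
            // Verify the service's response token against its signing certificates before the
            // result is handed back; this step is skipped only when the caller disabled it in options.
            var signers = await GetSignersAsync(true, cancellationToken).ConfigureAwait(false);
            if (!await token.ValidateTokenAsync(_options.TokenOptions, signers, cancellationToken).ConfigureAwait(false))
            {
                AttestationTokenValidationFailedException.ThrowFailure(signers, token);
            }
        }

        return new AttestationResponse<PolicyModificationResult>(result.GetRawResponse(), token);
    }
    catch (Exception ex)
    {
        scope.Failed(ex);
        throw;
    }
}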
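/// <summary>
/// Resets the policy for the specified <see cref="AttestationType"/> to the default value.
/// </summary>
/// <param name="attestationType"><see cref="AttestationType"/> whose policy should be reset.</param>
/// <param name="authorizationToken">Signed JSON Web Token, signed by one of the policy management certificates, used to verify that the caller is authorized to reset the policy to its default value. When omitted, an unsecured (unsigned) token is sent instead.</param>
/// <param name="cancellationToken">Cancellation token used to cancel this operation.</param>
/// <returns>An <see cref="AttestationResponse{PolicyResult}"/> with the policy for the specified attestation type.</returns>
/// <remarks>
/// When <paramref name="authorizationToken"/> is not provided the request is sent unsigned; whether the service accepts an
/// unsigned request depends on the instance's mode (see the remarks on the <c>signingKey</c>/<c>signingCertificate</c> overload).
/// </remarks>
public virtual async Task<AttestationResponse<PolicyResult>> ResetPolicyAsync(
    AttestationType attestationType,
    AttestationToken authorizationToken = default,
    CancellationToken cancellationToken = default)
{
    using DiagnosticScope scope = _clientDiagnostics.CreateScope($"{nameof(AttestationAdministrationClient)}.{nameof(ResetPolicy)}");
    scope.Start();
    try
    {
        // Do not reassign the parameter; pick the token to send into a local instead.
        // `is null` / `??` are used rather than `== null` so the check cannot be affected by operator overloading.
        AttestationToken requestToken = authorizationToken ?? new UnsecuredAttestationToken();
        var result = await _policyClient.ResetAsync(attestationType, requestToken.ToString(), cancellationToken).ConfigureAwait(false);
        var token = new AttestationToken(result.Value.Token);

        if (_options.ValidateAttestationTokens)
        {
            // Check the service's response token against its signers before returning it;
            // skipped only when the caller disabled validation in options.
            token.ValidateToken(GetSigners(), _options.ValidationCallback);
        }

        return new AttestationResponse<PolicyResult>(result.GetRawResponse(), token);
    }
    catch (Exception ex)
    {
        scope.Failed(ex);
        throw;
    }
}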
/// <summary>
/// Resets the policy for the specified <see cref="AttestationType"/> to the default value.
/// </summary>
/// <param name="attestationType"><see cref="AttestationType"/> whose policy should be reset.</param>
/// <param name="signingKey">If provided, specifies the signing key used to sign the request to the attestation service.</param>
/// <param name="signingCertificate">If provided, specifies the X.509 certificate which will be used to validate the request with the attestation service.</param>
/// <param name="cancellationToken">Cancellation token used to cancel this operation.</param>
/// <returns>An <see cref="AttestationResponse{PolicyResult}"/> with the policy for the specified attestation type.</returns>
/// <exception cref="ArgumentException">Thrown when exactly one of <paramref name="signingKey"/> and <paramref name="signingCertificate"/> is supplied.</exception>
/// <remarks>
/// The <paramref name="signingKey"/> and <paramref name="signingCertificate"/> parameters are optional, but if one is provided the other must also be provided.
/// <para/>
/// If the <paramref name="signingKey"/> and <paramref name="signingCertificate"/> parameters are not provided, then the policy document sent to the
/// attestation service will be unsigned. Unsigned attestation policies are only allowed when the attestation instance is running in AAD mode - if the
/// attestation instance is running in Isolated mode, then a signing key and signing certificate MUST be provided to ensure that the caller of the API is authorized to change policy.
/// The <paramref name="signingCertificate"/> parameter MUST be one of the certificates returned by the <see cref="GetPolicyManagementCertificates(CancellationToken)"/> API.
/// </remarks>
public virtual async Task<AttestationResponse<PolicyResult>> ResetPolicyAsync(
    AttestationType attestationType,
    AsymmetricAlgorithm signingKey = default,
    X509Certificate2 signingCertificate = default,
    CancellationToken cancellationToken = default)
{
    // Key and certificate must be supplied together or not at all: reject the "one without the other" case up front.
    bool keyProvided = signingKey is not null;
    bool certificateProvided = signingCertificate is not null;
    if (keyProvided != certificateProvided)
    {
        throw new ArgumentException($"If you specify '{nameof(signingKey)}' or '{nameof(signingCertificate)}', you must also specify '{nameof(signingCertificate)}' or '{nameof(signingKey)}'.");
    }

    using DiagnosticScope scope = _clientDiagnostics.CreateScope($"{nameof(AttestationAdministrationClient)}.{nameof(ResetPolicy)}");
    scope.Start();
    try
    {
        // Without a key the request goes out as an unsecured token (see remarks on when that is permitted);
        // with a key it is signed and carries the certificate the service uses to check authorization.
        AttestationToken requestToken = keyProvided
            ? new SecuredAttestationToken(signingKey, signingCertificate)
            : new UnsecuredAttestationToken();

        var result = await _policyClient.ResetAsync(attestationType, requestToken.ToString(), cancellationToken).ConfigureAwait(false);
        var responseToken = new AttestationToken(result.Value.Token);

        // Validate the service's response token against its signers unless the caller turned validation off.
        if (_options.ValidateAttestationTokens)
        {
            responseToken.ValidateToken(GetSigners(), _options.ValidationCallback);
        }

        return new AttestationResponse<PolicyResult>(result.GetRawResponse(), responseToken);
    }
    catch (Exception ex)
    {
        scope.Failed(ex);
        throw;
    }
}